Things to Consider in Your IAM Strategy: Secure Multi-Cloud Services

Last updated: 15 July 2018

The growing popularity of cloud services (IaaS, PaaS, and SaaS) in global organizations probably comes as no surprise: enterprises can purchase the features and services their developers need, scale up or down as the organization evolves, and deliver numerous applications quite easily from the cloud. Although some cloud services offer enterprises predictable expenses, the security of these cloud services is less predictable. Such a diverse cloud estate has become a challenge for risk officers, CISOs and IT teams managing different groups of users, ranging from remote workers and contractors, to administrators of privileged accounts, to standard in-house employees. Fortunately, you can adopt cloud access management measures as part of an effective digital transformation strategy, as this 3-part blog series addresses.

PART 1 What is the best way to secure multiple cloud services?

CISOs need to keep their eyes on security for Infrastructure as a Service (IaaS), where Microsoft Azure and Amazon AWS feature significantly. Gemalto’s Breach Level Index reports that identity theft was the most common mode of attack used in data breaches in 2016 and the first half of 2017.

Poor password management

Azure and AWS lead the market for hosting custom-developed applications and have also been prone to identity theft. According to Microsoft’s Security Intelligence Report, there has been a 300% rise in cyber attacks, many resulting from compromised passwords. The report said: “A large majority of these compromises are the result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services.”

Holes in the IaaS buckets

As for Amazon, many breaches occurred on S3 buckets, the servers used for storing databases for organizations including tech giants and government. Although these incidents only recently reached the media, many of the stories state that the cloud storage had been open for weeks or months, giving cybercriminals ample time to take advantage of the security holes. One leak involved a third-party contractor (unnamed by any of the affected organizations) who misconfigured an Amazon S3 server and leaked 50,000 records of Australian employees. In another media story, Accenture misconfigured an Amazon server, accidentally exposing more than 137 gigabytes of data, including databases of numerous credentials. And we’re not talking about one or two sensitive records: nearly 40,000 stored passwords were found in one of the database backups!

Security per single service is not sufficient

You could argue that securing one IaaS alone would be enough to reduce security breaches, but according to the 2018 Global Cloud Data Security Study (conducted by the Ponemon Institute and sponsored by Gemalto), cloud infrastructure applications such as online backup, virtual desktops and other tools have grown significantly during the past three years. The type of enterprise data stored in the cloud is also the data most at risk, including emails, customer information, consumer data, employee records, and payments.

With such risk in mind, how can you manage multiple cloud applications effectively?

Use multi-factor authentication
Employ an access management solution that can support different methods of authentication and different assurance levels. With this approach, you can match the level of assurance to the types of users accessing a resource, and require more than one factor of authentication for different groups. Users who need access to third-party servers may require stricter policies, as their activities pose a higher risk to the enterprise.

Limit access to third-party servers
Ensure that the access management solution you use can support flexible policy configuration. This way you’ll be able to set policies that are in line with the specific business needs of your organization: for example, policies for privileged users, for PCI data access, or for contractors configuring third-party servers. Each policy can be tailored to the security and access needs of your organization.

Migrate painlessly
Use an access management solution that can handle the MFA methods already in use in your organization, for example passwords, OTP, SMS or certificate-based authentication (PKI). This lets you leverage your existing investment without having to rip and replace it, and scale to secure access for cloud applications.

Use a future-ready solution
Proprietary access control features offered by IaaS services may not interoperate with other cloud services. As you diversify your IaaS and PaaS environment, you will be better served by an access management solution that can support all your cloud access needs and provide a central pane of glass for setting policies for groups of users and applications, regardless of which service provider is being used to deliver the apps.
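To make the four recommendations above concrete, here is a small policy evaluator written for this post (it is an added example, not Gemalto's product, API or code). It assumes a constructed assurance scale, constructed group names (admins, contractors, employees), constructed resource tags (pci, third-party, intranet) and a constructed strength ranking of the password, SMS, OTP and PKI methods named in the text; the point is how a single policy layer matches the required assurance level and second-factor requirement to the user group and the resource, independent of which cloud provider hosts the application.

```python
"""Assurance-level policy evaluator (added illustration, not a vendor API).

Given the groups a user belongs to, the tags on the resource being accessed, and
the authentication factors the user has already completed, decide whether access
is allowed or whether the user must step up. Every name and number below is a
constructed example value, not taken from any real deployment.
"""
from dataclasses import dataclass

# Constructed assurance scale: higher number means stronger assurance.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed strength of each existing MFA method the text mentions.
FACTOR_STRENGTH = {"password": 1, "sms": 1, "otp": 2, "pki": 3}

# Factors that count as "something you have" for a second-factor requirement.
POSSESSION_FACTORS = {"sms", "otp", "pki"}


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset          # user groups the policy applies to ("*" = any)
    resource_tags: frozenset   # resource tags the policy applies to ("*" = any)
    min_level: str             # minimum assurance level (key of LEVELS)
    require_two_factors: bool  # knowledge factor plus a possession factor


# Constructed policies mirroring the examples in the text: privileged users,
# PCI data access, contractors on third-party servers, and a default for everyone.
POLICIES = [
    Policy("privileged-admin", frozenset({"admins"}), frozenset({"*"}), "high", True),
    Policy("pci-data", frozenset({"*"}), frozenset({"pci"}), "high", True),
    Policy("contractor-third-party", frozenset({"contractors"}),
           frozenset({"third-party"}), "medium", True),
    Policy("default", frozenset({"*"}), frozenset({"*"}), "low", False),
]


def matching_policies(groups, resource_tags):
    """Return every policy whose group and resource selectors both match."""
    groups, tags = set(groups), set(resource_tags)
    matched = []
    for p in POLICIES:
        group_ok = "*" in p.groups or bool(p.groups & groups)
        tag_ok = "*" in p.resource_tags or bool(p.resource_tags & tags)
        if group_ok and tag_ok:
            matched.append(p)
    return matched


def required_assurance(groups, resource_tags):
    """Combine all matching policies by taking the strictest requirement.

    Returns (numeric level, two_factors_required).
    """
    matched = matching_policies(groups, resource_tags)
    level = max((LEVELS[p.min_level] for p in matched), default=LEVELS["low"])
    two_factors = any(p.require_two_factors for p in matched)
    return level, two_factors


def evaluate(groups, resource_tags, completed_factors):
    """Return (allowed, reason) for an access attempt."""
    level, two_factors = required_assurance(groups, resource_tags)
    factors = set(completed_factors)
    unknown = factors - FACTOR_STRENGTH.keys()
    if unknown:
        # Fail closed on factors the policy layer does not recognise.
        return False, f"unknown factor(s): {sorted(unknown)}"
    strength = max((FACTOR_STRENGTH[f] for f in factors), default=0)
    if strength < level:
        return False, f"assurance {strength} below required {level}"
    if two_factors and not ("password" in factors and factors & POSSESSION_FACTORS):
        return False, "second factor required (knowledge + possession)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed access attempts, one per recommendation in the text.
    attempts = [
        (["employees"], ["intranet"], ["password"]),
        (["contractors"], ["third-party"], ["password"]),
        (["contractors"], ["third-party"], ["password", "otp"]),
        (["admins"], ["intranet"], ["password", "otp"]),
        (["admins"], ["intranet"], ["password", "pki"]),
        (["employees"], ["pci"], ["pki"]),
    ]
    for groups, tags, done in attempts:
        allowed, reason = evaluate(groups, tags, done)
        print(f"{groups} -> {tags} with {done}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Because `required_assurance` takes the strictest of all matching policies, an administrator reaching a PCI resource inherits both the privileged-user and the PCI requirements without a separate rule for that combination, which is what keeps a central policy layer manageable as more cloud providers and applications are added.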

One size doesn’t have to fit all

Due to the wide range of approaches to cloud application deployment, it is hard for security professionals to apply a single solution to all company applications, as they can be hosted in public or private clouds, or on-premises. Without a central layer, personnel would need special training to configure each console, group of users and assurance level separately.

Privileged user consoles are especially vulnerable. Read Part 2 of this Cloud Access Management security series to discover what happens when cyber criminals hack credentials of privileged users and gain access to cloud-based admin consoles.